1
votes

I have an API Gateway endpoint in my AWS account which will invoke an SNS topic in another AWS account in the same region.

The access policy in API Gateway in my account is as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:ap-southeast-1:604970532282:PublishSourceMsgTopic"
    }
  ]
}

The SNS ARN arn:aws:sns:ap-southeast-1:604970532282:PublishSourceMsgTopic belongs to another AWS account in the same region.

The JSON of the access policy configured on the above SNS topic is:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Publish",
        "SNS:RemovePermission",
        "SNS:SetTopicAttributes",
        "SNS:DeleteTopic",
        "SNS:ListSubscriptionsByTopic",
        "SNS:GetTopicAttributes",
        "SNS:Receive",
        "SNS:AddPermission",
        "SNS:Subscribe"
      ],
      "Resource": "arn:aws:sns:ap-southeast-1:604970532282:PublishSourceMsgTopic",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "604970532282"
        }
      }
    },
    {
      "Sid": "__console_pub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::148445556582:root"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:ap-southeast-1:604970532282:PublishSourceMsgTopic"
    }
  ]
}

When I invoke the API Gateway it shows the following error:

User: arn:aws:sts::148445556582:assumed-role/api_gateway_sns_role/BackplaneAssumeRoleSession is not authorized to perform: SNS:Publish on resource: arn:aws:sns:ap-southeast-1:604970532282:PublishSourceMsgTopic

I am able to invoke SNS successfully if I give an SNS topic that is configured in my AWS account.

What am I missing here?

1

1 Answers

1
votes

You are giving permission for the root owner of the external account to publish on the topic, but the actual publish request is using the role of the API gateway.

So in your access policy, you'll need to give the publish permission to the role the API Gateway is using, not the role of root.

Typically what you would do is set "Principal": "*" and then add conditions under Resource in the policy to match the account and ARN of the resource accessing SNS from another account.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "SNS:Publish",
    "Resource": "arn:aws:sns:us-east-2:444455556666:MyTopic",
    "Condition": {
      "ArnLike": {
        "aws:SourceArn": "arn:aws:cloudwatch:us-east-2:111122223333:alarm:MyAlarm"
      }
    }
  }]
}

There are several example access policies here that should help you.
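The pattern above ("Principal": "*" plus a scoping condition) is only safe when the condition is actually present. The following is an added example, not code from the question or answer: a small offline check over a constructed topic policy that flags any Allow statement granting SNS:Publish to a wildcard principal without a condition key (aws:SourceArn, aws:SourceAccount, AWS:SourceOwner, aws:PrincipalArn, ...) that restricts who the caller is. The sample policy mirrors the two scoped statements seen in this thread plus one open statement; the Sids, account IDs and the omitted Resource fields are constructed placeholders.

```python
import json

# Condition keys that tie a wildcard principal to a known caller or account.
SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:sourceowner",
                "aws:principalarn", "aws:principalaccount", "aws:principalorgid"}

# Constructed sample policy (Resource omitted for brevity): two scoped statements
# in the style of this thread, plus one that lets any caller publish.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "owner_scoped", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "SNS:Publish",
     "Condition": {"StringEquals": {"AWS:SourceOwner": "444455556666"}}},
    {"Sid": "alarm_scoped", "Effect": "Allow", "Principal": "*", "Action": "SNS:Publish",
     "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:cloudwatch:us-east-2:111122223333:alarm:MyAlarm"}}},
    {"Sid": "open_publish", "Effect": "Allow", "Principal": "*", "Action": ["SNS:Publish"]},
]})


def _as_list(value):
    # IAM allows both a single string and a list for Action, Principal.AWS and Statement.
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    # "Principal": "*" and "Principal": {"AWS": "*"} both mean any caller.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _grants_publish(actions):
    return any(a.lower() in ("sns:publish", "sns:*", "*") for a in _as_list(actions))


def _has_scoping_condition(condition):
    # Condition is {operator: {key: value}}; a scoping key under any operator counts.
    return any(key.lower() in SCOPING_KEYS
               for keys in (condition or {}).values() for key in keys)


def open_publish_statements(policy_json):
    """Return Sids of Allow statements that let anyone publish to the topic."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if (stmt.get("Effect") == "Allow"
                and _principal_is_wildcard(stmt.get("Principal"))
                and _grants_publish(stmt.get("Action", []))
                and not _has_scoping_condition(stmt.get("Condition"))):
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings
```

Running `open_publish_statements(SAMPLE_POLICY)` returns only `['open_publish']`; the same function can be pointed at the JSON returned by GetTopicAttributes for a real topic.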